Title: Migrating to Cloud-based ERP solution
A. ABC Automobiles Ltd is a luxury bus maker in South India with technology infrastructure adequate for a changing environment. The company has four branch offices and more than 300 employees, including those at the branches. Of these, more than 40 employees are engaged in the finance and accounts departments. At present the company maintains non-integrated accounting software, which requires maintaining extensive documentation.
With the changing environment and future business growth in mind, the company board has decided to migrate from the existing non-integrated software to ‘Wilson’s On Cloud Solution’ (WOCS), an ERP software. The new ERP software will cover all business process functions, from sales and marketing, purchase management, payroll and inventory management to financial and management accounting, so that real-time business information is available.
B. ABC Automobiles Ltd (the auditee) appointed M/s XYZ Enterprises LLP (Chartered Accountants, the auditor) to conduct the Cloud ERP System Audit of the auditee. The auditor firm has extensive experience in conducting IS audits. The firm has 5 partners (CAs), 3 system auditors (CISA) and 5 other technical staff, all with good knowledge and experience in their respective domains.
QUALIFICATION : M.Tech, Phd (IT), BE (Software)
DESIGNATION : Software Engineer and Programmer
Nature of business:-
ABC Automobiles Ltd is a company that builds luxury buses in South India. The company specializes in making large buses for passenger transportation. They
The company board consists of 7 directors: one Managing Director (CEO), one Finance Director (CFO), a Sales & Marketing Director, a Chief Operational Director (COO), a Chief Information Officer (CIO) and 2 Executive Directors. The board sets policy and procedure and lays down the strategy for business tasks, which are executed and implemented by managerial and operational staff, from each department head down to operational-level staff members.
At present the company uses non-integrated accounting software, which will no longer be useful given the changing business technology and the growing changes in the technology environment. The company's infrastructure is well equipped, but it does not use any ERP software to integrate all of its business functions on a single platform. The MD is confident that, with adequate training, the finance and accounts departments can become acquainted with the cloud-based ERP.
By implementing this approach, the company can forego the need to invest in additional servers and hardware storage, thereby leading to a reduction in operating expenses (OPEX).
Internal Policies and Procedure:-
ABC Ltd. has successfully implemented the best-in-class security and control practices to safeguard its Cloud IT infrastructure. The company’s security system undergoes a meticulous audit conducted by independent ISO auditors, as mandated by ISO 27001 & ISAE 3402, to attain certification. Additionally, ABC Ltd. regularly subjects its security system to IS Audits, adhering to global best practices. By adopting such stringent measures, ABC Ltd. ensures the highest level of security and protection for its cloud-based IT infrastructure.
6. Logistic arrangements required
The auditor requires the following hardware, software (application and system), information, and system configuration documentation.
- 1. Hardware:- The auditor (XYZ Enterprises LLP) needs 3 laptops, 4 desktops, networking cables, data cables and power backup equipment for execution of the assignment. All hardware must be configured so as to be compatible with the software.
- 2. Software (Application as well as System):- We need licensed software installed on all desktops and laptops so as to work in the auditee IT environment, with a high-bandwidth internet connection.
- 3. Information:- We need the information to be audited, which may be data, audio, video, electronic-form data, images etc.
- 4. System Configuration Documents:- We need system configuration documentation from the supplier or vendor of the hardware and software, and the source code, to understand the technical details clearly.
ISO 27001 Information Security Management System:-
It is a systematic approach to managing sensitive company information so that it is kept secure. It covers people, processes and IT systems by applying a risk management process. The company (auditee) has obtained a certificate from the ISO organization stating that it meets the objectives of ISO 27001. The aim is to provide confidence and assurance to clients and customers that it follows accepted best business practices.
Use of CAAT Tools (Computer Aided Audit Techniques):-
The use of CAAT tools improves the audit process and helps in data extraction and analysis. Following are the techniques:-
7. Methodology and Strategy adapted for execution of assignment
Cloud Computing Audit Program by ISACA:-
1. Planning and Scoping of Audit :-
- 1. Define the audit or assurance service objective.
- 2. Define the boundaries of review.
- 3. Identify and document risks.
- 4. Define the required audit resources.
- 5. Define the deliverables and communications.
2. Operating in the Cloud:-
- 1. Incident Response, Notifications
- 2. Application security
- 3. Data Security and integrity
- 4. Identity and Access management
- 5. Virtualization
3. Governing the Cloud:-
- 1. Governance and enterprise risk management (ERM)
- 2. Legal and electronic discovery
- 3. Compliance and audit
- 4. Portability and interoperability
Audit Program or Audit Procedure:-
Below is the audit procedure under the COBIT framework; the auditor has defined each control objective and the procedure for it.

| S. No | COBIT Control Objective | Audit Procedure |
|---|---|---|
| 1 | Benefit Management (Acquire, Plan and Organize) | Review the process for developing metrics to measure benefits, e.g. guidance from domain experts and industry analysts. |
| 2 | Supplier Contract Management (Acquire and Implement) | Confirm through interviews with key staff members that policies and standards are in place for establishing contracts with suppliers, e.g. legal contracts, financial contracts, intellectual property contracts etc. |
| 3 | Supplier Performance Monitoring (Deliver, Service and Support) | Inspect supplier service reports to determine whether supplier performance is in alignment with the predefined SLAs and the supplier contract. |
| 4 | Identity Management (Deliver, Service and Support) | Confirm that every user has a unique (non-generic) ID and that access rights to the system are as per the documented business process framework. |
| 5 | Network Security (Deliver, Service and Support) | Confirm with the organization that a network security policy has been established and is maintained. Further confirm that all network components, such as routers, VPN devices and switches, are updated regularly. |
| 6 | Information Exchange (Deliver, Service and Support) | Confirm with the organization that a proper encryption policy is in place for exchanging information outside the organization. |
| 7 | Contract Compliance (Monitor and Evaluate) | Review policies and procedures to ensure that contracts with third-party service providers comply with applicable laws, regulations and contract commitments. |
| 8 | Data Integrity (Deliver, Service and Support) | Determine that a policy has been defined and implemented to protect sensitive information from unauthorized access, including authentication codes and encryption. |
8. Documents reviewed
We reviewed the following documents during execution of this assignment to identify controls and their weaknesses.
- 1. Information Security Policy:- First we reviewed the Information Security Policy (ISP) of the company and its content to check whether the policy meets the objectives of the organization and its stakeholders. The board is responsible for framing the policy.
- 2. Organization Structure:- The auditee organization has a proper hierarchy, with departments such as finance and accounts, sales and marketing, purchase and production, payroll, inventory management etc., in order to run the organization's functions properly.
- 3. Service Level Agreement or Vendor Contract:- The auditor has read and understood all the terms and conditions of the SLA. Any term which is harmful to the company has been discussed with management in order to secure stakeholder interests.
- 4. Access Matrix:- The auditor has reviewed the access matrix, which lists employees and the extent of their data access rights.
- 5. Audit Findings:- The auditor's findings with respect to the Cloud Service Provider are as follows:-
  - 1. The auditor reviewed the firewall and anti-virus program of the company, which secure data against unauthorized access.
  - 2. The auditor reviewed the alternate delivery site, to be used in case the CSP fails to provide service due to some circumstance.
  - 3. The auditor reviewed the backup policy and the backup methodology: how backups will be taken and their time frame.
  - 4. The auditor reviewed the DRP (Disaster Recovery Plan): how the company can continue its business functions even if business is disrupted by earthquake, tsunami, flood, fire etc.
  - 5. The auditor reviewed the external and internal policies which affect the organization's business both internally and externally.
We have taken references from the following:-
- 1. ISA Background Material
- 2. ISACA Audit Program and CAAT Tools
- 3. ISO Standard 27001
The following table summarizes the review areas and the relevant findings, auditor suggestions and risk ratings.

| S. No | Auditor’s Findings | Auditor’s Recommendation / Suggestions | Risk Rating |
|---|---|---|---|
| 1 | Technology Selection:- Before moving to the cloud, the organization (auditee) did not perform a cost-benefit analysis. | NIL | Low |
| 2 | Physical Access Control:- Access to data should be allowed only to authorized persons, since the data may be sensitive to stakeholders. | The organization should deploy biometric devices so that access history is recorded. The organization should adopt the maker and checker rule. Use the audit trail to check who accessed the data previously and their user activity. Use a clean desk policy to secure sensitive data in paper form etc. | |
| 3 | Login Access Control:- In this scenario every user has a unique login and can access only the data for which they are permitted to transact. | This concept helps prevent any unauthorized data access. No user can both enter and approve or authenticate data. E.g. login ID and password, network monitoring and access control. | Medium |
| 4 | Audit Trail:- In this scenario we can identify who last logged in, user activity and the time spent by previous users. | With the help of this concept, users work within the rights assigned to them in order to maintain data security and integrity; even if anybody attempts to work beyond his/her rights, the attempt is traceable. Personal accountability of users is also established. | Medium |
| 5 | Firewall:- Any data entering or leaving the organization boundary is filtered by the firewall system. The system on which the firewall is installed is called a Bastion Host. | The firewall acts as a security barrier between the public and private networks and checks any data packets coming from the outside world into the private network, since it checks data packets for authentication, authorization etc. The organization should deploy all firewall types, namely proxy server, network level, application level and stateful inspection. | Medium |
| 6 | Data Privacy and Confidentiality:- Access to customer data is restricted to the respective organization and its authorized personnel, and is not to be shared with other organizations or personnel. | The organization should establish a policy that maintains data privacy with respect to other service receivers of the same cloud service provider. | High |
| 7 | Service Level Agreement:- Any terms and conditions which are harmful to the auditee organization, such as blackouts or disruption in service. | The organization and the CSP should meet to resolve the conflict, and the CSP should inform the organization about the alternate sites from which service will be provided in case of emergency failure of the main site. | Medium |
| 8 | Natural Disaster Events:- The organization should consider natural events such as earthquake, tsunami, flood, fire etc. | The organization should have one additional BCP site with complete IT infrastructure in case of natural disaster, so that normal business functions continue without disruption. | High |
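The access matrix review, the audit trail finding and the maker-and-checker recommendation above can be exercised together with a CAAT-style check. The following script is an added example (not part of the original report or of WOCS): it replays a constructed audit-trail export against a constructed access matrix and reports actions outside a user's assigned rights, users missing from the matrix, and self-approvals that breach the maker-checker rule.

```python
"""Added example: CAAT-style review of an ERP audit trail against an access
matrix. All users, modules, rights and log lines are constructed sample data."""
import csv
from io import StringIO

# Constructed access matrix: user -> set of "module:action" rights.
ACCESS_MATRIX = {
    "asha":  {"sales:create", "sales:view"},
    "ravi":  {"sales:approve", "sales:view", "payroll:view"},
    "meena": {"payroll:create", "payroll:approve", "payroll:view"},
}

# Constructed audit-trail export (assumed CSV layout: timestamp,user,module,action,record_id).
AUDIT_TRAIL = """\
timestamp,user,module,action,record_id
2024-03-01T09:00:00,asha,sales,create,INV-1001
2024-03-01T09:05:00,ravi,sales,approve,INV-1001
2024-03-01T09:10:00,asha,payroll,view,PAY-2001
2024-03-01T09:20:00,meena,payroll,create,PAY-2002
2024-03-01T09:25:00,meena,payroll,approve,PAY-2002
2024-03-01T09:30:00,kiran,sales,view,INV-1001
"""

def review_audit_trail(matrix, trail_csv):
    """Return a list of (record_id, user, finding) tuples for the auditor's working papers."""
    findings = []
    makers = {}  # record_id -> user who created (made) the record
    for row in csv.DictReader(StringIO(trail_csv)):
        user, rec = row["user"], row["record_id"]
        right = f"{row['module']}:{row['action']}"
        # Check 1: is the user known to the access matrix at all?
        if user not in matrix:
            findings.append((rec, user, "user absent from access matrix"))
        # Check 2: is the action within the rights assigned to the user?
        elif right not in matrix[user]:
            findings.append((rec, user, f"action beyond assigned rights: {right}"))
        # Check 3: maker-checker rule, the maker of a record must not approve it.
        if row["action"] == "create":
            makers[rec] = user
        elif row["action"] == "approve" and makers.get(rec) == user:
            findings.append((rec, user, "maker-checker breach: self-approval"))
    return findings

if __name__ == "__main__":
    for rec, user, why in review_audit_trail(ACCESS_MATRIX, AUDIT_TRAIL):
        print(f"{rec:9} {user:6} {why}")
```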
Implication of High, Medium and Low:-
- High:- The issue represents a finding that exposes the organization to significant risk and requires immediate resolution.
- Medium:- The issue represents a finding that exposes the organization to risk that requires resolution in the near future.
- Low:- The issue represents a finding which does not require action from the organization.
11. Format of Report/Findings and Recommendations
As mentioned in Point No 10
As per the discussion held with the management, the BOD of the company has initiated corrective steps to overcome the “high implication findings” observed in the audit, and for those with medium implication the BOD will take corrective action as soon as possible. Since the company has migrated to a “Cloud based ERP System”, it will initially be difficult for the organization as a whole to adopt the new technological environment perfectly. However, the management is optimistic about future guidance with respect to the adoption of technological changes and their impact on the organization.